A prefix-based approach for managing hybrid specifications in complex packet filtering
Authors: Nizar Ben Neji, Adel Bouhoula
Publisher: Computer Networks 56 (2012)
Presenter: Yu Hao, Tzeng
Date: 2012/11/
Outline
• Introduction
• Proposed technique
• Performance
• Conclusion
Introduction
• A packet filter must support rule sets involving any type of condition.
• Prefix-based packet filters have gained wide acceptance in the research community for storing rule sets.
• Range-based fields need to be converted into a set of standard prefixes to guarantee homogeneity.
• Since multiple packet header fields can contain several range specifications, a single rule may require multiple memory entries.
• The difficulty lies in the fact that multiple memory entries have to be allocated to represent a rule containing various range specifications.
Introduction (Cont.)
• DRPC (direct range to prefix conversion)
• Example:
Introduction (Cont.)
• The NAF (Non-Adjacent Form) conversion method lets us obtain a better conversion ratio than the previously proposed solutions.
• Example:
Introduction (Cont.)
Introduction (Cont.)
Proposed technique
• Notation and definitions
• An elementary w-bit range can be written using a single w-bit prefix.
• Example: 192.168.100.0 ~ 192.168.100.255 => (192.168.100.0/24) CIDR
• An extended w-bit range [L, U] of an arbitrary w-bit range [l, u] is the smallest elementary range containing the w-bit range [l, u].
• Two w-bit ranges [l1, u1] and [l2, u2] are adjacent ranges if l2 = u1 + 1.
• Two elementary ranges [l1, u1] and [l2, u2] are consecutive if they are adjacent and they have the same width or consecutive power-of-2 widths:
  width1 − width2 = min(width1, width2)
Proposed technique (Cont.)
• NAF conversion of arbitrary range
• Direct range-to-prefix conversion (DRPC)
• Indirect range to signed prefixes (IRSP)
• Lower{} is a list of integers
• Upper{} is a list of integers
• Sign{} is a binary list
Proposed technique (Cont.)
• NAF conversion of arbitrary range
• Example:
Proposed technique (Cont.)
• NAF conversion of arbitrary range
• Direct range to signed prefixes (DRSP)
• DRSP is better than the indirect conversion in terms of time since it lets us avoid the use of two conversion stages.
[Figure: Arbitrary Range -> DRSP -> Signed Prefixes]
Proposed technique (Cont.)
• NAF conversion of arbitrary range
• Direct range to signed prefixes (DRSP)
• isElementaryRange() is a boolean function that takes as input an arbitrary w-bit range [l, u] and tells whether it can be represented using a single prefix or not.
• extendedRange() takes as input an arbitrary range [l, u] and returns as a result the smallest elementary range covering it.
• addSignedPrefix() stores the resulting signed prefixes in the lists Lower{}, Upper{} and Sign{}.
Proposed technique (Cont.)
• NAF conversion of arbitrary range
• Algorithm
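As an added worked example (not code from the paper or from these slides), here is a small Python version of the DRSP recursion described on slides 12 and 13: test whether [l, u] is elementary, otherwise take its extended range, emit that range as a prefix with the current sign, and carve out the uncovered edges [L, l-1] and [u+1, U] with the opposite sign. Plain DRPC is included so the prefix counts can be compared, and a longest-match check shows how signed prefixes decide membership. Function names and the (base, prefix length, sign) tuple layout are this example's own assumptions.

```python
def is_elementary_range(l, u):
    """True iff [l, u] is an aligned block of size 2^k, i.e. a single prefix."""
    size = u - l + 1
    return size & (size - 1) == 0 and l % size == 0

def extended_range(l, u, w):
    """Smallest elementary w-bit range [L, U] that covers [l, u]."""
    size = 1
    while size < (1 << w) and l // size != u // size:
        size <<= 1
    L = (l // size) * size
    return L, L + size - 1

def drsp(l, u, w, sign=1, out=None):
    """Direct range to signed prefixes; entries are (base, prefix_len, sign)."""
    if out is None:
        out = []
    L, U = (l, u) if is_elementary_range(l, u) else extended_range(l, u, w)
    # The whole extended range gets the current sign ...
    out.append((L, w - (U - L + 1).bit_length() + 1, sign))
    # ... and the parts of it outside [l, u] are removed with the opposite sign.
    if L < l:
        drsp(L, l - 1, w, -sign, out)
    if u < U:
        drsp(u + 1, U, w, -sign, out)
    return out

def drpc(l, u, w):
    """Classic direct range-to-prefix conversion: greedy aligned blocks from l."""
    out = []
    while l <= u:
        size = 1
        while size * 2 <= (1 << w) and l % (size * 2) == 0 and l + size * 2 - 1 <= u:
            size *= 2
        out.append((l, w - size.bit_length() + 1))
        l += size
    return out

def matches(x, signed_prefixes, w):
    """x is in the original range iff its longest matching signed prefix is
    positive (drsp produces nested prefixes, so the longest match decides)."""
    best = None
    for base, plen, sign in signed_prefixes:
        shift = w - plen
        if x >> shift == base >> shift and (best is None or plen > best[0]):
            best = (plen, sign)
    return best is not None and best[1] > 0
```

For the constructed 4-bit range [1, 14], drpc needs six prefixes while drsp needs three: the whole space with a positive sign, and 0000 and 1111 with a negative sign.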
Proposed technique (Cont.)
• Building the two-staged data structure
Proposed technique (Cont.)
Proposed technique (Cont.)
• Building the two-staged data structure
Proposed technique (Cont.)
• The matching process
• Example: (100)_10 = (01100100)_2
Proposed technique (Cont.)
• The matching process
• Searching for the longest matching prefix
• Searching for the shortest prefix that does not match
• Example: (100)_10 = (01100100)_2
Performance
Performance (Cont.)
Performance (Cont.)
Conclusion
• In this paper, the essential issues related to the resolution of the range matching problem arising in the packet filtering process were thoroughly examined and efficiently solved using the new concept of signed prefixes.